Newest Ivanti critical vulnerability massively exploited

published: Feb. 5, 2024

Take action: Patch or factory reset (and still patch) your Ivanti Connect Secure and Policy Secure. They are actively being attacked and hacked, and you may have already been hacked.

Learn More

Ivanti is reporting massive active exploitaton of the latest vulnerability impacting its Connect Secure and Policy Secure products - tracked as CVE-2024-21893. The vulnerability has exposed a significant number of Ivanti Connect Secure devices, nearly 22,500, to potential exploitation over the internet. The exact number of devices vulnerable to CVE-2024-21893 remains uncertain.

The scale of this exploitation has seen a notable increase, with threat monitoring entity Shadowserver reporting attempts from 170 distinct IP addresses aiming to exploit this flaw.

The publication of a Proof of Concept (PoC), has accelerated attacks, although Shadowserver observed exploitation efforts predating the release, indicating that some attackers had independently devised methods to exploit CVE-2024-21893.

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has mandated federal agencies to disconnect and reset all Ivanti Connect Secure and Policy Secure VPN appliances. The directive advises reconnecting only those devices that have undergone a factory reset and have been updated to the latest firmware, leaving older, still vulnerable versions without a patch. While CISA's order directly affects federal agencies, it also strongly implies that private organizations should reassess the security of their Ivanti installations and the overall trustworthiness of their network environments.

Newest Ivanti critical vulnerability massively exploited